
1 Access Control Identification and Authentication

2 Security Policy (SECURITY INNOVATION ©2003)
Generally speaking, a security policy describes how people may access documents or other information. A computer's version of a security policy consists of a precise set of rules for determining authorization as a basis for making access control decisions. This section and the following section present several security policies that are commonly implemented in computer systems.

3 Security Policy
Policies presented include:
– Access to systems based upon user identification.
– Access to objects (such as files, directories, etc.) based upon user identification, where owners of objects can, at their discretion, grant access to other users.
– Access to objects (such as files, directories, etc.) based upon the clearance level of the user.

4 System Access Control
Controlling access to the system physically:
– Guards: need at least 4 for 24-hour coverage; must recognize the person, or a token; no record of access.
– Locks: cheaper than a guard; no record of access.

5 Identification and Authentication
Controlling access to the system using identification and authentication is a two-step process.
Identification
– Telling the system who you are.
Authentication
– Proving to the system that you are who you say you are.
Three classic ways of establishing proof:
– Something you know.
– Something you have.
– Something you are.

6 Benefits of Identification and Authentication
Can provide a complete log of access and attempted accesses.
Access privileges can be granted or removed quickly.

7 Passwords
Something you know.
– Agreed-upon code words entered by the user.
Subject to:
– Loss
– Disclosure
– Attack

8 Attacks on Passwords
Brute force attack.
– Try all words.
Probable password attack.
– Try short words.
– Try common words.
Probable user password attack.
– Family names.
– Birth dates.

9 Password File
Conventional encryption.
– Enter password.
– Decrypt stored password from table.
– Compare passwords.
One-way cipher.
– Enter password.
– Encrypt password.
– Compare to encrypted password.

10 Attacks Using Password File
Readable password file.
Backup tapes.
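The two storage schemes of slide 9, and why slide 10's readable file or backup tape matters differently for each, as an added Python example (not from the slides). The "conventional encryption" record is reversible: the host must keep a decryption key, and whoever obtains the table together with that key recovers every password. The one-way record stores only a per-user random salt and a PBKDF2-HMAC-SHA256 digest; verification repeats the slide's steps (take the entered password, run it through the one-way function with the stored salt, compare) and never decrypts anything. The algorithm, work factor, salt size and the sample usernames and passwords are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the slides).
ITERATIONS = 100_000   # PBKDF2 work factor
SALT_BYTES = 16        # random salt per user


# --- "Conventional encryption": the stored value can be decrypted ----------------
def _keystream(key: bytes, length: int) -> bytes:
    # Toy keystream derived from the host's key; stands in for a real cipher.
    stream = b""
    counter = 0
    while len(stream) < length:
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return stream[:length]


def store_conventional(password: str, key: bytes) -> bytes:
    """Slide 9, first scheme: the password is stored reversibly under the host's key."""
    data = password.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def recover_conventional(record: bytes, key: bytes) -> bytes:
    """'Decrypt stored password from table': whoever holds the file and the key gets the
    plaintext back, which is why a readable file or a backup tape is a complete loss."""
    return bytes(a ^ b for a, b in zip(record, _keystream(key, len(record))))


def verify_conventional(password: str, record: bytes, key: bytes) -> bool:
    return hmac.compare_digest(recover_conventional(record, key), password.encode())


# --- One-way cipher: the stored value cannot be turned back into the password -----
def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Slide 9, second scheme: store the salt and the PBKDF2 output, never the password."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2-sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_record(password: str, record: str) -> bool:
    """'Enter password, encrypt it, compare': the host never decrypts anything."""
    algo, iterations, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2-sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


# Constructed sample password file: username -> one-way record. Fixed salts keep the
# records reproducible here; real systems draw them from os.urandom as make_record does.
PASSWORD_FILE = {
    "alice": make_record("correct horse battery", salt=b"\x01" * SALT_BYTES),
    "bob": make_record("picnic", salt=b"\x02" * SALT_BYTES),
}


if __name__ == "__main__":
    host_key = b"host-key-kept-in-memory"          # constructed
    rec = store_conventional("picnic", host_key)
    print("conventional record:", rec.hex(), "-> recovers", recover_conventional(rec, host_key))
    print("one-way record for bob:", PASSWORD_FILE["bob"])
    print("bob/picnic:", verify_record("picnic", PASSWORD_FILE["bob"]))
    print("bob/Picnic:", verify_record("Picnic", PASSWORD_FILE["bob"]))
    print("same password, fresh salts differ:", make_record("picnic") != make_record("picnic"))
```

The salt is what makes a leaked one-way file costly to attack rather than merely inconvenient: two users with the same password get different records, so every record has to be attacked separately, and the work factor sets the price of each guess.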

11 Guessing Passwords

12 Password Space
The password space is the set of all passwords. The size of a password space is determined by:
– The length of passwords, denoted by L.
– The size of the password alphabet, denoted by A. If passwords only consist of lower case letters, A = 26. If passwords consist of lower and upper case letters and digits, A = 62.
The size of the password space is A^L.

13 Brute Force: exhaustively trying all passwords
On average, you will need to try half of them.
On a 400-MHz Quad Pentium II, L0phtcrack (LC4) can try every 7-character alphanumeric password in 5.5 hours, and every possible 7-character keyboard password in 480 hours (94^7 ≈ 64,850,000,000,000).
Zn5e937o72q204: 1 day to crack
picnic: 30 seconds to crack

14 Exhaustively trying all passwords
Consider that at one of the largest technology companies, where policy required that passwords exceed 8 characters, mix cases, and include numbers or symbols...
– LC4 obtained 18% of the passwords in 10 minutes.
– 90% of the passwords were recovered within 48 hours on a Pentium II/300.
– The Administrator and most Domain Admin passwords were cracked.

15 L0phtcrack 2 (screenshot): Passwords <1 second

16 But my system uses 128-bit encryption...
Many keys are generated from passwords or passphrases.
A system that accepts 10-character ASCII passwords might require 80 bits.
However, passwords have <4 bits of entropy per character. Now we are down to 40 bits...
Time to solution is measured in minutes...
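Slides 12, 13 and 16 together give a way to size a password policy: the space A^L, the half-space average for brute force, and the gap between the nominal bits a password could supply and the entropy user-chosen passwords actually carry. The following calculator, added here and not part of the slides, puts those three pieces in one place so the nominal and effective figures can be compared for any policy. The guess rate and the 4 bits per character are assumptions taken as illustrative upper bounds; the slide's 80-bit figure for a 10-character password corresponds to counting 8 bits per character, which is how the example reproduces it.

```python
import math


def password_space(alphabet_size: int, length: int) -> int:
    """Slide 12: the number of possible passwords is A^L."""
    return alphabet_size ** length


def nominal_bits(alphabet_size: int, length: int) -> float:
    """Key material the system could derive if every password were equally likely:
    log2(A^L) = L * log2(A)."""
    return length * math.log2(alphabet_size)


def effective_bits(length: int, bits_per_char: float) -> float:
    """What human-chosen passwords actually deliver; slide 16 puts this under 4 bits/char."""
    return length * bits_per_char


def average_guesses(bits: float) -> float:
    """Slide 13: brute force succeeds after half the space on average."""
    return 2.0 ** bits / 2


def average_attack_hours(bits: float, guesses_per_second: float) -> float:
    return average_guesses(bits) / guesses_per_second / 3600


def nominal_vs_effective(length: int, alphabet_size: int, bits_per_char: float,
                         guesses_per_second: float) -> dict:
    """Compare the strength a policy appears to give with what user-chosen passwords give."""
    nominal = nominal_bits(alphabet_size, length)
    effective = effective_bits(length, bits_per_char)
    return {
        "nominal_bits": nominal,
        "effective_bits": effective,
        "nominal_hours": average_attack_hours(nominal, guesses_per_second),
        "effective_hours": average_attack_hours(effective, guesses_per_second),
        "shortfall_factor": 2.0 ** (nominal - effective),   # how much easier the real attack is
    }


if __name__ == "__main__":
    RATE = 1e9   # assumed guess rate for illustration; pick one that matches your threat model
    for name, a, l in (("7-char alphanumeric", 62, 7), ("7-char full keyboard", 94, 7)):
        bits = nominal_bits(a, l)
        print(f"{name}: space = {password_space(a, l):,}, {bits:.1f} bits, "
              f"avg {average_attack_hours(bits, RATE):.2f} h at {RATE:.0e} guesses/s")
    # Slide 16's scenario: 10 characters counted as 8 bits each (80 bits) versus
    # under 4 bits of real entropy per character (40 bits).
    r = nominal_vs_effective(length=10, alphabet_size=256, bits_per_char=4,
                             guesses_per_second=RATE)
    print(f"nominal {r['nominal_bits']:.0f} bits -> {r['nominal_hours']:.3g} h; "
          f"effective {r['effective_bits']:.0f} bits -> {r['effective_hours']:.3g} h "
          f"({r['shortfall_factor']:.3g}x easier)")
```

The useful output is the shortfall factor: a policy judged by A^L alone overstates its strength by 2^(nominal - effective), which for the slide's numbers is a factor of 2^40, and no amount of key-derivation arithmetic downstream recovers entropy the password never had.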

17 Password Issues

18 Password Issues
Sane password management
– You can't improve the performance of human memory by making rules or even by restricting password selection. Lost passwords represent 20% to 50% of help desk calls and cost $80 each to resolve.
– The help desk process also opens the risk of social engineering attacks on password-protected resources.
– Many people try to avoid the help desk by writing down their passwords, and that introduces yet another dynamic into the security mix.

19 Password Issues
Strong passwords that resist dictionary attacks should contain at least eight characters and a mixture of upper- and lowercase letters, digits, and special characters.
Reusable passwords should never be used over the Internet unless they are encrypted by a strong, separately established cryptographic key.
Consider one-time password authentication tokens, smart cards, or similar devices.

20 Implementation Issues
The system may actually give away information:
– Which part of the login is incorrect.
– Which system is being accessed.
Limit access attempts.
Enforce password time limits.
Employ password checking programs.
– Proactive checkers are best.
– Ensures adequate password length.
– Ensures adequate password alphabet (forces the inclusion of capital letters, punctuation, or numbers).
– Avoids the use of English words.
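Slide 20's implementation rules in working form, as an added Python example that is not part of the slides: a proactive checker that enforces length, alphabet classes and a dictionary lookup (with common digit-for-letter substitutions undone first) at the moment a password is chosen, and a login gate that returns one generic message whether the username or the password was wrong, locks the account after a bounded number of failures, and enforces a password age. The eight-character minimum is slide 19's; the class count, attempt limit, age limit, word list and demo accounts are this example's assumptions.

```python
import hashlib
import hmac
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Policy parameters: the 8-character minimum is slide 19's, the rest are assumptions.
MIN_LENGTH = 8
MIN_CLASSES = 3                   # of lowercase, uppercase, digits, punctuation
MAX_ATTEMPTS = 5                  # lock the account after this many consecutive failures
MAX_AGE_SECONDS = 90 * 24 * 3600  # password time limit
GENERIC_FAILURE = "Login incorrect"   # same text whether the user or the password was wrong

# Constructed stand-in for an English word list; a real checker loads a full dictionary.
WORDS = {"password", "picnic", "welcome", "summer", "dragon", "letmein", "secret"}
LEET = str.maketrans("0134$@", "oieasa")   # undo common substitutions before the lookup


def check_new_password(candidate: str) -> List[str]:
    """Proactive checker (slide 20): reasons to reject the candidate; empty means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    present = sum(any(ch in cls for ch in candidate) for cls in classes)
    if present < MIN_CLASSES:
        problems.append(f"uses {present} character classes, needs {MIN_CLASSES}")
    normalized = candidate.lower().translate(LEET)
    core = normalized.strip(string.digits + string.punctuation)
    if core in WORDS or any(len(w) >= 5 and w in normalized for w in WORDS):
        problems.append("based on a dictionary word")
    return problems


def one_way_verifier(password: str, salt: bytes = b"demo-salt") -> Callable[[str], bool]:
    """Keeps only a salted one-way digest of the password (constructed demo parameters)."""
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return lambda attempt: hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, 50_000), stored)


@dataclass
class Account:
    username: str
    verify: Callable[[str], bool]
    password_set_at: float
    failures: int = 0
    locked: bool = False


class LoginGate:
    """Slide 20's rules: no hint about which part failed, bounded attempts, password age."""

    def __init__(self, accounts: Dict[str, Account], now: Callable[[], float] = time.time):
        self.accounts = accounts
        self.now = now

    def attempt(self, username: str, password: str) -> Tuple[bool, str]:
        account = self.accounts.get(username)
        if account is None or account.locked:
            # A production system also runs a dummy verification here so the
            # response time does not reveal whether the username exists.
            return False, GENERIC_FAILURE
        if not account.verify(password):
            account.failures += 1
            if account.failures >= MAX_ATTEMPTS:
                account.locked = True
            return False, GENERIC_FAILURE
        account.failures = 0
        if self.now() - account.password_set_at > MAX_AGE_SECONDS:
            return True, "Password expired; choose a new one"
        return True, "OK"


def build_demo_gate(now: Callable[[], float] = time.time) -> LoginGate:
    """Constructed accounts for the demonstration (bob's password is past its time limit)."""
    return LoginGate({
        "alice": Account("alice", one_way_verifier("Tq7#vR9kLz"), password_set_at=now()),
        "bob": Account("bob", one_way_verifier("P1cn1c!!"),
                       password_set_at=now() - 120 * 24 * 3600),
    }, now)


if __name__ == "__main__":
    for pw in ("picnic", "P1cn1c!!", "Summer2024!", "Tq7#vR9kLz"):
        print(f"{pw!r}: {check_new_password(pw) or 'accepted'}")
    gate = build_demo_gate()
    print(gate.attempt("nobody", "x"))            # unknown user: generic message
    print(gate.attempt("alice", "wrong"))         # wrong password: same generic message
    print(gate.attempt("alice", "Tq7#vR9kLz"))    # accepted
    print(gate.attempt("bob", "P1cn1c!!"))        # correct, but the password has expired
```

Note that the checker rejects "P1cn1c!!" even though it satisfies the length and alphabet rules: a checker that only counts character classes passes exactly the "dictionary word plus substitutions" passwords that slide 13's 30-second crack of "picnic" warns about.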

21 Authentication Devices

22 Tokens and Smart Cards
Something you have.
– A token is an object which authenticates its possessor.
– Must be unforgeable and unique.
– Not foolproof, since it may be lost or stolen.
– A smart card may compute the response to a challenge.
– A smart card may perform encryption.

23 Personal Characteristic Recognition (Biometric Devices)
Something you are.
– Retinal scanners.
– Palm/fingerprints.
– Voice pattern recognition.
– Difficult for an impostor to duplicate.

24 Challenge and Response Systems
Something you have and something you know.
Passwords are in the clear from the time of entry until accepted by the host.
– Normal passwords are static.

25 Challenge and Response Systems
Challenge and reply systems create a pseudo one-time password system.
– Passwords become dynamic.
To ensure security:
– Encryption keys should be changed regularly.
– Algorithms should be changed occasionally.
Challenge and reply systems are most appropriate for host-to-host communications because of the computing power available.
This method affords authentication and identification as well as eliminating the replay problem.
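The exchange of slides 24 and 25 with both sides' messages, as an added Python example that is not from the slides: the host issues a fresh random challenge, the claimant (a smart card as on slide 22, or a peer host) answers with an HMAC over its identity and the challenge, and the host accepts each challenge at most once. The shared key never crosses the link, which is what makes the "password" dynamic, and the single-use challenge is what removes the replay problem. The key, identities and HMAC-SHA256 construction are this example's assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

NONCE_BYTES = 16

# Constructed shared secrets (assumption: provisioned out of band, e.g. held on the
# user's smart card and in the host's key store; never sent over the link).
KEYS = {"alice": b"demo-key-alice-not-for-real-use"}


def compute_response(key: bytes, user_id: str, nonce: bytes) -> bytes:
    """Both sides compute HMAC-SHA256(key, user_id || nonce); binding the identity
    stops a response computed for one user being presented as another's."""
    return hmac.new(key, user_id.encode() + b"\x00" + nonce, hashlib.sha256).digest()


class Host:
    """Verifier: issues a fresh random challenge per login and accepts it at most once."""

    def __init__(self, keys: Dict[str, bytes]):
        self.keys = keys
        self.outstanding: Dict[str, bytes] = {}   # user -> challenge awaiting its response

    def challenge(self, user_id: str) -> bytes:
        nonce = os.urandom(NONCE_BYTES)
        self.outstanding[user_id] = nonce
        return nonce

    def verify(self, user_id: str, nonce: bytes, response: bytes) -> bool:
        expected_nonce = self.outstanding.pop(user_id, None)   # consumed on every attempt
        key = self.keys.get(user_id)
        if expected_nonce is None or key is None:
            return False
        if not hmac.compare_digest(nonce, expected_nonce):
            return False   # stale or fabricated challenge
        return hmac.compare_digest(compute_response(key, user_id, nonce), response)


class Client:
    """Claimant (a user with a smart card, or a peer host) holding the shared key."""

    def __init__(self, user_id: str, key: bytes):
        self.user_id = user_id
        self.key = key

    def respond(self, nonce: bytes) -> bytes:
        return compute_response(self.key, self.user_id, nonce)


def run_exchange(host: Host, client: Client) -> Tuple[bool, bytes, bytes]:
    """The wire exchange: host -> client: nonce; client -> host: response. The key
    itself never crosses the link, so there is no static password to capture."""
    nonce = host.challenge(client.user_id)
    response = client.respond(nonce)
    return host.verify(client.user_id, nonce, response), nonce, response


def replayed_pair_is_accepted(host: Host, user_id: str, nonce: bytes, response: bytes) -> bool:
    """What a recorded (nonce, response) pair is worth later: the host has issued a
    different challenge by then, so the old pair is rejected."""
    host.challenge(user_id)
    return host.verify(user_id, nonce, response)


if __name__ == "__main__":
    host = Host(KEYS)
    ok, nonce, response = run_exchange(host, Client("alice", KEYS["alice"]))
    print("genuine exchange accepted:", ok)
    print("replay of recorded pair accepted:",
          replayed_pair_is_accepted(host, "alice", nonce, response))
    print("wrong key accepted:", run_exchange(host, Client("alice", b"wrong-key"))[0])
```

The slide's remaining advice, changing keys regularly, fits naturally here: the host's key table is the only place a key lives on the verifier side, so rotating an entry in KEYS (and on the card) changes every future response without touching the protocol.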

26 Login Spoofing

27 Problem
A key logger is malicious software that is installed and left running as a background process.
“Our keylogger has unique remote installation feature. You can attach keylogger to any other program and send it by e-mail to install on the remote PC in the stealth mode. Attach keylogger to a beautiful screensaver and send it to your friend!”
“…… is the first keylogger which is absolutely invisible in the Windows NT/2000/XP Task Manager!”

28 Keylogger (diagram: System, Password)

29 Keylogger Insider Attack
Instant privilege escalation.
– Install a keylogger on a machine with user privilege.
– Call the help desk and report a problem with the machine.
– The first technician to your machine will immediately log in to their system account.

30 Solution: The Trusted Path
Two components can mutually authenticate each other so that no impersonation can take place.
When the trusted path is invoked, all user processes attached to the terminal are killed and the system's trusted path screen or menu is displayed.
– It provides a means whereby the user can be sure that they are communicating with the REAL system.
– Before logging in, users ALWAYS invoke the trusted path.

31 Solution
An example of establishing a trusted path: CTRL+ALT+DEL. This is NT's default Secure Attention Sequence (SAS).
The SAS is a signal to the operating system that someone is trying to log on. After the SAS is triggered, all user-mode applications pause until the security operation completes or is cancelled. In theory, during this pausing of applications, logon-related Trojans and key loggers are stopped.

32 Note
Passwords and biometric devices are ONLY good for authenticating the user to the system. A trusted path is required to authenticate the system to the user. Identification and Authentication consists of both identifying and authenticating the user to the system and identifying and authenticating the system to the user.
